The challenge

Software failures and cyber attacks

As more features are included in software systems, the software becomes larger and more complex.

Complexity makes dependability harder to achieve and multiplies the points at which a system can fail. Failure or misbehaviour of software can have serious consequences, such as leakage of sensitive information, and can expose the system to cyber-attack.

At the very least, for software that runs on critical devices, we must build trustworthy systems that we can depend on to perform safely and as expected.

Our response

Design and isolation for verification

For truly dependable systems, the software must be trustworthy: we must be able to guarantee that it behaves correctly and has the required security and safety properties. Such guarantees can be provided through testing, certification and formal verification, with increasing levels of assurance.

Formal software verification, using machine-checked mathematical proof, provides the strongest guarantees of software properties. However, it is not feasible to formally verify all the code in a real system, particularly a large and complex one. Therefore design for verification is crucial.

The key strategy for such design is to minimise the trusted computing base (TCB), the part of the system that can break security or safety if it misbehaves. In many systems the TCB is large; in a well-designed system it is small enough to be formally verified.

The results

seL4 for dependable systems software

Our scientists developed the seL4 microkernel, which provides the necessary minimal TCB.

They did this by splitting systems into critical (trusted) and non-critical (untrusted) parts. The software that executes the system's critical functions must be trusted to have the required security and safety properties, and its execution must not be affected by any failure in the non-critical code.

seL4 provides the secure software base that enforces separation between the trusted and untrusted parts of a system. seL4 builds on 15 years' experience with the L4 microkernel family and is unique: it is the only operating-system kernel whose implementation has been formally verified, with machine-checked proofs that the code conforms to its specification and that the kernel enforces spatial isolation, guaranteeing data confidentiality and integrity. As with any proof, these guarantees hold relative to the proof's stated assumptions about the hardware and the small amount of unverified code (boot and assembly). It is also the first protected-mode operating system with a sound worst-case execution-time (timeliness) analysis.

seL4 was released under an open-source (GPLv2) licence in mid-2014; proprietary licences are also available through General Dynamics.

seL4's predecessor, OKL4, created by the same team, has been deployed on billions of mobile and connected devices.